Personal data belonging to 5 million AirAsia passengers via AirAsia Malaysia, AirAsia Indonesia and AirAsia Thailand may have been leaked after the airline was hit by a purported ransomware attack. It was alleged that AirAsia was a victim of a Daixin Team ransomware attack and the attackers have shared two CSV files which contain personal details of passengers and employees.
The Daixin ransomware group has been on US’ Joint CyberSecurity Alert published on 21st October 2022. From the sample data, the CSV file contains the passenger ID, full name (first, middle and last), booking ID, total cost of ticket. Meanwhile, the CSV for employee data contains a wide array of details including photos, secret questions, secret answers, birth city, birth state, birth country and nationality.
According to DataBreaches, the ransomware attack took place on 11th and 12th November 2022 and it was alleged that AirAsia has responded to Daixin Team through a chat. After sharing the sample data, they claimed that AirAsia didn’t try to negotiate the ransom amount and had no intention of paying. The ransom amount was not disclosed but Daixin Team said they have avoided locking up critical files related to flying equipment as part of their avoidance of encrypting or destroying anything that could be life-threatening.
A ransomware attack usually involves a malicious file that will encrypt all data on the server and the victim will have to pay the ransom to get their data back. According to Akamai, 71% of organisations in Asia Pacific have paid ransom fees between USD 100,000 to USD 1 million (RM458,330 – RM4.58 million), while 13% have paid between USD 1 million and USD 5 million (RM4.58 million – RM22.92 million). Ransomware attacks can severely disrupt airline operations. In May this year, hundreds of passengers were left stranded after Indian-based SpiceJet was hit by an attempted ransomware attack.
Daixin Team’s spokesperson told DataBreaches that the poor organisation of AirAsia Group had spared the company from further attacks. While they have encrypted a lot of resources and deleted backups, they didn’t proceed to cause more damage. It said, the group refused to pick through the garbage for a long time. As our pentester said, “Let the newcomers sort this trash, they have a lot of time.”
Besides leaking the passenger info on their dedicated leak site, the Daixin team said it plans to reveal more information about the network including the backdoors privately and freely on hacker forums.
We have reached out to AirAsia for further details on the matter.
Malaysia has been seeing a rise in personal data breaches with at least 3,699 reported incidents since 2017. Back in 2019, Malindo Air (now Batik Air) acknowledged a data breach which came from two former employees of its eCommerce service provider. Most recently, there was a data breach at Carousell involving 2.6 million users while personal data allegedly from the National Registration Department (JPN) and Election Commission including eKYC photos were sold online.
Despite the major breaches involving the personal data of Malaysian citizens, caretaker Home Affairs Minister Dato Seri Hamzah Zainuddin denies it came from JPN, while caretaker Defence Minister Datuk Seri Hishamuddin Hussien said the data breach does not jeopardise national security.